Legal Alert | UODO’s sectoral inspection plan for 2026
February 03, 2026
The President of the Personal Data Protection Office (UODO) recently published a sectoral inspection plan for 2026. The UODO will focus on five categories of entities:
What does this mean in practice?
Although the plan also covers strictly public areas (SIS/VIS, BIP), from the perspective of the private sector, three categories of inspected entities are key:
The UODO explicitly states that the inspections are to cover areas where incidents have occurred in the last year, as well as those for which complaints and reports of violations have been received.

Marketing
The President of the UODO did not specify what he means by "marketing entities". In practice, the inspections may cover both companies conducting commercial communications (e.g., newsletters, email/SMS/telephone campaigns) and entities providing services to them (e.g., agencies, call centres, providers of mailing/marketing automation tools, and entities involved in lead generation). The designation of "marketing entities" as a separate category of entities means that the UODO may examine the legality and accountability of activities that occur in almost every industry: customer relationship management (CRM) systems, newsletters, marketing and sales campaigns aimed at acquiring customers, remarketing, telemarketing, and loyalty programmes. In practice, UODO most often checks whether a company has the right to use contact details for commercial purposes, where it obtained these details from, and whether customers can easily opt out of promotional activities directed at them (and whether this opt-out works).

Online delivery platforms/marketplaces/intermediary applications
UODO has announced inspections of data processing by platforms intermediating in the sale of goods and services through applications (the scope of the inspections is not limited to mobile applications and may therefore also apply to web applications). In practice, the inspection may concern, among other things, adopted privacy policies and information on data processing provided on contact forms. In addition, for mobile applications, this may concern the scope of data collected, the purpose of collection, location data, or the period of data storage.
Healthcare entities – public and private sectors
The President of the UODO did not explicitly indicate which categories of healthcare entities will be subject to inspections. However, given the authority's practice to date, it can be expected that inspections may concern both public and private entities, including private medical practices and laboratory diagnostic facilities. In the healthcare sector, UODO’s priority is to examine the use of video surveillance, with particular emphasis on situations where children's data may be processed. Supervisory authorities usually verify, first and foremost, the proportionality of monitoring (whether its scope is excessive, e.g. monitoring covering patients or sensitive situations, even though monitoring entrances and corridors would be sufficient for the declared purpose), the rules of access to recordings, their storage period and the manner of fulfilling information obligations.

Penalties
During the inspection, the President of the UODO may apply corrective measures (e.g. orders/prohibitions). In addition, after the inspection, the President of the UODO may impose an administrative financial penalty on the inspected entity.

Non-financial penalties – corrective measures
The President of the UODO may, among other things, issue a reprimand or warning and decide to temporarily or completely restrict data processing by a specific entity, as well as prohibit further processing.

Administrative financial penalties
Depending on the type of infringement, the President of the UODO may impose a penalty on a private entity of up to:
From a risk perspective, it is worth treating the plan as a signal to review processes. In the event of an inspection, UODO usually expects evidence that the rules are implemented in practice and not just described in documents. In this regard, it is particularly important to properly train employees involved in data processing.